Supplementary Services from PwC
An essential benefit of the alliance with PwC is that ComplianceNow can connect with a world class, global advisory and assurance company with a proven history of helping companies implement and strengthen the processes around SAP compliance. Below you will find a selection of supplementary services from PwC, developed to customize and enhance your access control implementation.
Please let us know if you need our support getting in contact with PwC Risk Assurance services close to you.
Access Control Ruleset Services
The ruleset is the engine of any Access Control system. It comprises a set of segregation of duties (SOD) and sensitive access (SA) risks. An SOD risk represents two or more conflicting functions or activities that pose an elevated risk when assigned to a single person. An SA risk represents a single function or activity that allows access to sensitive data or transactions.
A common mistake we see when implementing an access control system is the use of a standard “out of the box” ruleset. Tailoring a ruleset for a client-specific environment is important for the following reasons:
- Allows stakeholders to monitor and address the risks that are relevant to their organization.
- Reduces time spent on monitoring and responding to risks that are either not applicable or lower risk for their environment.
- Simplifies and adds clarity to access risk monitoring.
- Incorporates environment-specific customization, e.g. custom Z transactions, that is not included in the standard ruleset.
- Addresses technical gaps from standard-delivered rulesets to provide the client with complete visibility into their access risks.
- Improves the overall access management processes, including user access requests, role maintenance, and periodic reviews.
PwC’s approach to defining a client-specific ruleset follows a process to establish a fully tailored ruleset that covers the risks unique to your systems and business. This approach involves:
- Defining the key segregation of duties and sensitive access risks specific to the client’s environment;
- Translating the defined risks into technical rules, deploying and validating the new rules;
- Analyzing risk reports to identify the root cause of violations;
- Preparing a mitigation and remediation roadmap to address the identified risk violations.
Key Risk Recognition
PwC has leveraged our global experience and technical capabilities to design a number of proprietary tools to efficiently serve our clients. ACE-S is a proprietary tool that supports the design analysis of access and configurable controls. It comes with a comprehensive library of 700 control tests optimized over the last 20 years, including 300 access tests covering various business processes. This test library provides a valuable starting point for key risk recognition workshops with client stakeholders. Workshops with those who know the business best are held under PwC expert facilitation to pinpoint the access risks that are truly key for the specific organisation.
Defining Complete and Accurate Rules
Following risk recognition, we will work to translate the risks into technical rules, identifying both the SAP standard and client custom authorizations that are applicable to each risk. ACE-S’s built-in accelerators are used during the rule build to identify the specific parameter settings, configuration and customization in the client’s SAP system. This allows us to tailor each technical rule precisely to the specific system, including the addition of all applicable custom transactions.
Analyzing, Remediating and Mitigating
Once the ruleset is deployed in the GRC system, a detailed analysis is performed to determine the cause of both role-level and user-level violations. The PwC team will work with the SAP Security team and business leads to develop a mitigating control plan for necessary sensitive access assignments and a remediation plan for unintended violations.
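To make the ruleset definition above (SOD risks as two or more conflicting functions, SA risks as a single sensitive function), the translation of risks into technical rules, and the role-level versus user-level root-cause analysis concrete, here is a small Python evaluator. It is an added illustration written for this page, not PwC's ACE-S, a GRC ruleset, or ComplianceNow code. The standard transaction codes (ME21N, MIGO, XK01, XK02, F110, F-53, SU01, PFCG) are real SAP transactions; the custom transaction ZVEND01, the risk IDs, the Z_* roles and the user assignments are constructed sample data.

```python
"""Minimal SOD / SA ruleset evaluation at role and user level (constructed example)."""
from dataclasses import dataclass

# A function is a business activity, mapped to the transaction codes that enable it.
# ZVEND01 is a constructed custom Z transaction, the kind a standard ruleset would miss.
FUNCTIONS = {
    "VENDOR_MAINT": {"XK01", "XK02", "ZVEND01"},  # create / change vendor master
    "VENDOR_PAY":   {"F110", "F-53"},             # run or post vendor payments
    "PO_CREATE":    {"ME21N"},                    # create purchase order
    "GR_POST":      {"MIGO"},                     # post goods receipt
    "USER_ADMIN":   {"SU01", "PFCG"},             # user and role administration
}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    functions: frozenset  # SOD risk: two or more functions; SA risk: exactly one

    @property
    def kind(self) -> str:
        return "SOD" if len(self.functions) > 1 else "SA"


# Technical rules: each risk is expressed as the set of functions that must all be held.
RULESET = [
    Risk("P001", "Maintain vendor master and pay vendors", frozenset({"VENDOR_MAINT", "VENDOR_PAY"})),
    Risk("P002", "Create purchase order and post goods receipt", frozenset({"PO_CREATE", "GR_POST"})),
    Risk("B001", "User and role administration", frozenset({"USER_ADMIN"})),
]

# Constructed roles (transaction codes per role) and user-to-role assignments.
ROLES = {
    "Z_AP_CLERK":    {"XK01", "XK02", "ME21N"},
    "Z_AP_PAYMENTS": {"F110"},
    "Z_WAREHOUSE":   {"MIGO"},
    "Z_BASIS":       {"SU01", "PFCG"},
    "Z_P2P_ALL":     {"ME21N", "MIGO", "XK01", "F-53"},  # conflicts built into one role
}
USERS = {
    "alice": {"Z_AP_CLERK", "Z_AP_PAYMENTS"},  # conflict arises only from the combination
    "bob":   {"Z_WAREHOUSE"},
    "carol": {"Z_P2P_ALL"},
    "dave":  {"Z_BASIS"},
}


def functions_of(tcodes: set) -> set:
    """Map a set of transaction codes to the business functions they enable."""
    return {fn for fn, enabling in FUNCTIONS.items() if enabling & tcodes}


def evaluate_roles(roles=ROLES, ruleset=RULESET) -> dict:
    """Role-level analysis: risks that a single role violates on its own."""
    violations = {}
    for role, tcodes in roles.items():
        held = functions_of(tcodes)
        hits = [risk.risk_id for risk in ruleset if risk.functions <= held]
        if hits:
            violations[role] = hits
    return violations


def evaluate_users(users=USERS, roles=ROLES, ruleset=RULESET) -> dict:
    """User-level analysis over the union of all assigned roles, with root cause:
    which roles contribute each conflicting function, and whether the violation is
    inherent in one role (ROLE_DESIGN, fix the role) or created by the combination of
    roles (ROLE_COMBINATION, fix the assignment or apply a mitigating control)."""
    role_level = evaluate_roles(roles, ruleset)
    violations = {}
    for user, assigned in users.items():
        held_by_role = {role: functions_of(roles[role]) for role in assigned}
        held = set().union(*held_by_role.values()) if held_by_role else set()
        for risk in ruleset:
            if not risk.functions <= held:
                continue
            contributors = {
                fn: sorted(r for r, fns in held_by_role.items() if fn in fns)
                for fn in sorted(risk.functions)
            }
            inherent = any(risk.risk_id in role_level.get(r, []) for r in assigned)
            violations.setdefault(user, []).append({
                "risk_id": risk.risk_id,
                "kind": risk.kind,
                "functions": contributors,
                "cause": "ROLE_DESIGN" if inherent else "ROLE_COMBINATION",
            })
    return violations


if __name__ == "__main__":
    print("Role-level violations:", evaluate_roles())
    for user, findings in evaluate_users().items():
        for f in findings:
            print(f"{user}: {f['risk_id']} ({f['kind']}, {f['cause']}) via {f['functions']}")
```

In the sample data, Z_P2P_ALL and Z_BASIS fail at role level, so any user holding them inherits the violation regardless of other assignments (a role redesign problem), while alice violates P001 only through the combination of Z_AP_CLERK and Z_AP_PAYMENTS (an assignment or mitigating-control problem). Distinguishing the two is what turns a violation report into a remediation roadmap.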
The governance processes employed to maintain an access violation free environment are often complex and onerous for business users. PwC can assist in developing practical access approval and governance processes that balance preventive and detective control activities to achieve continuous compliance. Related services include:
- User, position and role access clean-up.
- Complete SAP security role design / re-design.
- Organizational risk and control identification and documentation, to provide a complete view of access, automated and manual controls within the organisation.
- Governance process design for user administration and emergency access.
- Compliance education and end user training.
- Assistance and training in using APM for security projects.